Things to consider in an enterprise computing environment like in the MPI CBS
Overview
Computers in an enterprise environment differ from the ones at home. Users have fewer degrees of freedom, but they get certain guarantees. This page describes the pros and cons of that fact on the Linux workstations and compute servers of this institute. It might be slightly different in other research facilities or companies.
The topics below are marked with (+) (advantage) and (-) (disadvantage).
Pros and Cons of an enterprise environment
(+) Roaming between workstations
You are able to log in on any Linux computer. Your computer is broken? While it's being repaired, use the one belonging to a colleague who's currently on vacation. Since your user profile resides on a server in our network, you're not bound to a single machine.
You may even log in multiple times. However, your browser can only be opened in one of these sessions.
(-) Network-Dependency
Computers in our network are mostly useless without a network connection. Since your personal stuff is stored on a server and your programs access this storage area directly, your workstation's network connection is a hard dependency.
(+) Data protection, access permission enforcement
The IT department takes care of protecting your data and securing its integrity. This includes:
- Regular automatic backups (Snapshots) of your data
- Predicting failure of workstation disks as early as possible
- Enforcing access restrictions on sensitive data. Nobody will get access to your data if not properly authorized—e.g. by you, your superior, an institute director or a court order.
However, physical resource limitations restrict the data volume IT is able to handle and to protect. This is why users have to carefully separate important (irreplaceable) from other (replaceable) data. Have a look at our Data Protection Policy for more information.
(-) Restricted Network access
You're not allowed to connect your laptop computer to the internal network. This is necessary to protect our test subjects' data and less security-optimized operating systems from unknown software on these machines.
However, you may connect your laptop/tablet/phone to our WiFi network. You might want to check out the Eduroam access model, which grants access to the WiFi networks of a lot of other institutes.
(-) Artificially restricted memory
Storage on disks and memory on compute servers are used by multiple users concurrently. IT has to make sure that a single user cannot negatively affect other users, e.g. by completely filling up an important hard disk. This is why there are:
- Disk quotas on home directory storage
- Mailbox quotas on our mail server
- Storage limits on all storage blocks in /data and /afs
(+) Software Consistency
See SoftwareServiceLinux
(+) Stable file path names
Several storage systems of the institute (see the Data Protection Policy) are guaranteed to never change their path names (stable namespace). Such a guarantee is very costly in terms of IT man hours, which is why it cannot be given for all the storage types in the institute. Rules of thumb:
- /data is stable
- /afs is stable
- /NOBACKUP* cannot be guaranteed to be stable
You might find the command STORAGEPOLICY to be helpful.
(-) Mandatory updates and upgrades
IT is obligated to do security upgrades on all institute computers. Within a given platform generation, updates are done in the background without you noticing. No functional changes are introduced by such updates to computational packages. A given platform generation is only supported for a limited time - currently four years.
When security support for a platform fades out, IT has to re-install ("upgrade") a computer (i.e. your desktop PC). This is not optional! IT will remove computers without security upgrades from the internal network.
(-) Virtual trash doesn't work as expected
While it's a very good idea to use a virtual trash at home as an additional protective layer against accidental file removal, this concept doesn't work well in an enterprise environment like the MPI/CBS. In such a place
- ...available storage is compartmentalized into different storage blocks with different quota limits assigned. This makes it hard for programs to keep track of the different physical folders the virtual trash resides in.
- ...different users are working cooperatively on lots of storage blocks. Some operating systems do not take that into account (one virtual trash per user per storage block).
- ...multiple operating systems that have different strategies of how to express virtual trash in special folders are accessing the same storage.
Therefore MPI/CBS IT (like other enterprise IT depts.) uses a different approach: Snapshots and backups. If you want to restore deleted files, please write a ticket specifying the location of the file (file path), the name of the file, and the last time the file existed for sure (where, what, when).
(-) Data ownership and permission updates
For every piece of data in the institute it must be clear who gets to decide permissions for it. Only these people are then allowed to change permissions there.
See OtherPeoplesData